e3p@cenet document view 



Page 1 of 1 



ANONYMOUS MESSAGE TRANSMISSION SYSTEM AND VOTING SYSTEM 



Patent number: 
Publication date: 
Inventor: 
Applicant: 
Classification: 

- international: 

- european: 
Application number: 

Priority number(s): 



JP8263575 
1996-10-11 

SAKO KAZUE; JIYOSEFU JIEI KIRIAN 
NEC CORP 

G06F 19/00; G09C1/00 

JP1 9950335493 19951222 



Also published as: 



J 

I 



EP0723349 (A2) 
US5682430 (A1) 
EP0723349 (A3) 
EP0723349 (B1) 



Report a data error here 



Abstract of JP8263575 
PURPOSE: To enable an outside observer to 
verify whether or not an election is carried out 
actually correctly by sequentially processing 
ciphered messages from senders at a mixing 
center and outputting a group of messages which 
are ciphered in random order wherein they can 
not be traced finally. 

CONSTITUTION: Voters vote through senders 
10(1), 10(2)... equipped with arithmetic means, 
suitably, personal computers. Similarly, 
respective mixing centers 11(1), 11(2)... are 
equipped with arithmetic means, suitably, 
personal computer, work stations, etc. Then the 
senders 10(1), 10(2)... report voter's ciphered 
messages firstly to an electronic bulletin board 12 
or other openly usable message means. A center 
11(i) processes respective messages reported by 
a preceeding center 1 1(i-1) and makes the 
results in shuffled order. This is carried out until 
the final center 1 1 (n) makes the totalization result 
of the voting open to the public. 
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(2) 

1 

»c«to t. «&©-& >^ £g£ * 7 -t- $>*fiaw* 
•t>^Ci , c 2 , c. fc*tUT&Hsn*jyjc£ 

(b) &-fe>:?Si **, ^PB$n5l»^<b^yfe-^?£ 

(c) Sfli© = --fe^Ci &-fe>:?Si i0 

(d) &5+-»^--fe>^C 2 ~C-i M©3* 

(e) ft»©5*^>^«-t>^c. a». «ros+-» 

(f) &3*i">^- -fe>*#, ^©*&3i©IE^tt£iE 

(g) j&SfcfcUT, 

ftfc * y "fe- Vft 6 Bfr ©E 1/ a **KT* y xt 
ft^tr. B«*y-fc-5>6aUW*. 

fcfcHT. MEXxyX (O , (d) , (e) «£S 
fc, 

(h) #5 + ->>y--t>^fc»«liS«IA*X5 i y^ 

t, 30 

( i ) mmwtt. • t>*<D®®m*m 

[B&B3] tt*«2E*0B**v-fe-5>£2b5rifc 
7J^UXAp r o v e-DECRYPTffl^ff^ 

£*V»T, ME7JK*'JXAp r ove-DECRYP 

[»*«5] M*«2e*©B**vfe-5>eabtFife 

fcfc^T, MIEffiBjXT-y^tt, F i a t - S h am i 
rfcfcjgfflf* B**yt-5>fia«rft. 
[B**6] B*«2BE«OB«^yfe-5?eai*ife 

( j) ^7t-y*xty7WSXf7ysS5!:t 
tK B*^yt-5>ei8*tt. 

[B*B7] »*«6_e«©B«^yfe-5?eai*jS 
fc*V»T, WEEWX^y^tt, TJWrfJXAp r o v 
e-SHUFFLE©«ff**t», B**yfe-5>ea& 50 



#BB¥8-2 6 3 5 7 5 

2 

m 

[81*31 8 ] B*JB 1 BB©B*> »-fe-J?fia*tt 
fc*V»T. ttBX??7 (c) , (d) , (e) tt, * 
y-fe-y £ -> * v 7)Vt S y X£ £ 6 fc#t», B£ 

IB** 9] tt£«8ESt©B£*y-fe-v£i£;£B 
JJVrf'JXAp r ove-DECRYPT£S£frU X 

(d) (e) sBig-rntft^tr, e£* 

M*S10] B*JB8E«OE*^yfe-^fiai* 
BIC«V>T. 63*5'>y-*>*«»»BfcB;t. ft 
*©5*-»2f r-fe>*C. jMBSSBttLfeBC, ft 
5 *5/>* *©#fBB»*JJ:t;iKfEi|gft& 
BUTMEBBftBffU XxyX (d) **tf-(e> 

B*B8B«©B*>yfe-i>fia* 
SCiHT, BCfiiJlXxy^fi. 7;Urf'JXAp r o 
.ve-SHUFFLEC3SSfrt5i:tSttt. B**v 

[ B£B 1 2 ] » *1 1 1 E«©B£ * y -fe- 
3Eri*K:fcV>-C. iaCKWXxy^K, F i a t - Sh a 
mi r8*BJB1-*!:i**t», B«* yt-5>fiafc* 

ffilCfc^T. BBB91*y-y:/K:. F i a t-Sham 
i rtt&Bffl-r-SEtft^tt, B£*y-fe->>£j£# 
ft. 

B#KlEB©B**5/-fe-5>4S3S* 
BfcfcVJT. BflBKW^xy^fc. Fiat-Sham 
i rB«B«f*Ct**t», B*^?t-5>fii* 

mxm 1 5 ] mmm iB«oi*^»t- s>£2£# 

StfcW. MEXf-^ (b) T, ft-fe>^S k ». 
*©B*fc*y^-5>fc*MWKHBfcaB^£iS 

m$m 1 6 ] mxm 1 e«©e* y ? -fe- -^eii* 

ttK*l»T. Xx^X (b) T. ft-fe>^S t tt, WE 
mi©3^r-»^--fe>^C. OB«ffi^TB4Hb^9 

k ©W«*#tJ, B*^yfe-^fi3KFtt. 

1 7] 1 E«©E*^ y-fe-v^* 

£fc*»T, Xf-^ (b)'T, ftfe>ys k tMHMs 

l©3*-»^--fe>^Ci a^nf^b/yir-v&S 

[w*^ 1 8 ] mxm i e*©e£* y-t-^fiaKF 

ttfcfi^T, ilESlfflS+y^'t^d It. 3S 
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(3) 

3 

i -so* y-fe-^sjaa-r* 

**c*v>t, «9E-fe>y«, ^n#i?afeo, me*? 

M*g 2 0 ] M&fl 1 9 BB©E£* vt-V&M 
jfrSfcfc^T. WE***3*S'>if "fe>*C, ©ME 

T. 

B»©-fe>^Si , S 2 , -, Si ft-t>y 
14. «nE«»*fflV»T«Hffl:^yfe-S?ft*jaU 

*g&©3*->>y • -fe>*C i ,' Ci , C. ftfl 
Sl©5+-»^--fe>^Ci 14. H&E5t»£JBtr> 

~C-i [4, MflB36ft*ffl^TKI©5*'>>y--fe>5' 
*»6©*WSn&^y*-S>*«*WKlMiU 3 SIC 

fflsan&*yfe— ^©5+~>>^--fe>^ic«t 

••fe>*C. *», BE***fl!V»Tlt®$*5/>af 

©«a©IE3tt*tt9!U ^E-O^I^^SWBa^SK ^ 
• ^xy^Bi*«*.*B**y'fe--S>ft2SS 

go 

[M««2 2] ffi$£2 lE*©B**y"fe-5>fiB 

&«tc43V>T, S9fB5^-»^--t>^(4, 

Ap r o v e - DECRYPT*^* fcCttCko 

t. ^yfe-s?ftjHrr*, B*^yfe-^«augB. 

[M&B2 4] «#B2 3E«©B*.*yfe-5>fi3l 

^©(4. 7^'JXAprove-DECRYPTS* 
frf*. B**vfe-5?fia2&BB. 
Mt$9(2 5] . «#W2 4B«©B*^yfe-yfia 

14. #ft©^yfe-5?K:»L7Jl'^UXAp r ove- 5(7 



#H¥8-2 6 3 5 7 5 

4 

DECRYPT**??**. y-fe-v£j§gfi. 

cw*«2 6] mxm2 ie«oB*^yfe-s>fia 

SBKfc^T, ME3*5'>£' *srfc-5> 
B**vfe-5>£2I8B. 

[»#B2 7] «**2 6EB©B**v-fe-5>Ga& 
gBtCfcHT. BE5**»y 
Ap r o v e-SHUFFLEfc^frTSCtlCfcoT 
^yfc-5?*»Br*, B**yfe-5>fiB8B. 

[M$4i 2 8 ] M&ll 2 6 B«©E£ * y -fe-^fioS 
EBfc*V»T, • LfcEE* 

'^Btt, TWJXAprove-SHUFFLESH 
frf*, B**yfe--5?£2IBB. 

[»*«2 9] 9tJf*«2 lEE©B**srfe-5>fia 
BBfcfc^T. #-t>ys k }4. *©«Htfl;*yfe-5? 
Sr. WIB»*SKe«H«rKa»-r*, B**y-fe-5> 

[W#«3 0] M#JI2 2B*©E**vfe->?fc3! 
HBtC&^T. £-fc>^S t 14. MBSgl©3*-»^ 
••fe>*Ci ©i»B»!H^m»T**Mt*y-fe-S>ft 

*&t», B*^yfe-5?eaaSB. 

SBK*V»T, £-fe>4^4. «F^fll/yfe-s;S«|« 
U Jl©KHMl^yfe-S>tt. t3E2ll©3*v>^ • 

2ns. B*^y-fe-s?eaa6B. 
t»*^3 2] mim2 \ wmitiM&*y±rV&k 

8Sfc*V»T. ilB*l©5*'»^'-fe>^C: «. 

3ei"3©^yfe-5?*«ar-6, B*^yfe-5?esi« 
b. 

[«*JS3 3] »*«3 2E«©B«*vfe-5>£2i 
g«lci5ViT. f»E-fe>^tt, SH^-c&D. EE*y 
*-5>tti931t£T!*.5, B*^ yfe-^eas«. 

[B&9I3 4] B*B3 3E«©B*^yfe-S?fi26- 
HBlCfc^T. WEig*(4SS«gm**-r-5. B**y 

■fc-3>eaaB. 
[»«©ffn«Ki»] 

[0 0 0 1] 

[*W©B-r*ft*»»] £©*»Htt. B*^yfe-5? 

eMtcwL. #fr. iiB=fem^s«©fc©©ia^w*s 

[0 0 0 2] 

[^b^©#S] «E««?S«t4. a^VjU^ • /1~r 
(multi-party) ffHfOfttfiS^ffl© 
l £©BE6B?t9:Bt:"3V>T*< ©ifi<t*» 

nrnfc*nT"b. 5c£fc#fc&i4sgjisnT^fcK 
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(4) 

5 

[0 0 0 3] MOSSSt+aUf^tt^ttl., 
«fcD*R«a#<©«:Il7*Pro;WS. «36anT^ 

fcHKMfcaoTfffc. 

[0 0 0 4] m&*«jh (Mi x-ne t) B*^ir> 
^''Untraceable E 1 e c t r 
onic Mail, Return Address, 10 
and Digital Pseudonyms" in 
Communication of the AC 
M. ACM, 1981, pp. 84~88(CD. Cha 

umKJ:oT*tOKJI*:£ft&. hv»t, £©*#&ffi 

A. Fu j i o k a&CfcOXiR "A P r a c t i c 
al Secret Voting Scheme f 
or LargeScale Elections", 
in Advances in Crypto logy 
-Auscrypt' 9 2, 1 9 9 2, pp. 244~ 20 

2 5 It, C. Pa r k5fc«fc0£lR "A 1 1/ 
Nothing Election Scheme a 
nd Anonymous Channel" in A 
dvances in Cryptology, Eur 
ocrypt' 9 3, 1 9 9 3, pp. 2 4 8~259 

[0 0 0 5] cn6©*SCtt«*WT***», #©±3 

fcfcA****. -rates, cn6©*sc©"5 , 6©*t>ffi 

*at>©tt, JMt©%*^#l~£*B**&S&Kiibl' 

jE3a&B#tfa*©1Ml*fll£ttUTracft 30 

*T**ttft*3;iiKa*. a*. ^©^-^if-A' 

an. B. P f i t zmannlCtSXSR "B 

reaking an efficient anon 
ymous channel" in Eurocryp 
t' 94 Proceedings, 1 9 9 4, pp. 

3 3 9~3 4 8fcE«$nTVi*<t3lC. H<Oi»Oi 

[0 0 0 6] i©^W©«^K«tn«, 5MW7lf-/t 
**, a**«*l6KiEU< ff tonfcj»»5«>&1ftlEf -5 - b 

«a©**a»#fc«fc5a*««©*-tn 
aic, «!ii©flHiati&itTt>*a-r*c:t«»-c# 

5. SSfc, £©5§0J3«, £fc, B. Pf i tzman 
n tc i o TH££ nfc«*ft tt 5 © K&£^„ 
[0 0 0 7] 

[5891©«E£] H-r^T-f >a >"\©#&©^ y 
■fe-SW, *»©5*-»^--fe>^S«T8MfK:ea 50 



&S§¥8-2 6 3 5 7 5 

6 

Sft5B£^*>*;i'#MS$ftTns. afetli/y 

>*T&D. JBl©S*-»^--fe>^*««»«««© 
/yt-i?«3»4ft6tf. H©3Er*tt«BfMSW*SCt 
.a*. £©»9Jtt, fcEfctffSflWteDHR 

wa»w©*»«ait;fflT**B*^ ? -fe-^ofiaHr 
scwr**©"?**. 

[0 0 0 8] H©*STtt, -fe>^*»6©i|MM:^yt 
—7«, 5*v>7"- t>*tc£oT>£&WtCfflg$n 

*av>JBfJ5T«H»fl24nTnan^yfe-5?©ttftfflA 

•r*. -rate's, B*?*>*jn;:fflv»snfciiH»tt. 

5*-»^-t>^ilt 5*->>^--fe>^ i - 1 
(i = l©«£fctt-fe>*0 C<toT^BB$n5^^»/ 

[0 0 0 9] 30©Xxyy©ffia*t. &3*-»$r« 
■fe>^ i (rioTfTtens. S6lOXfy^(i 
*yfe-5>©flMtll6*fc4arr*. S5 2(0X^^1, 

l3©Xfy^lt 5*-»7"--fe>*#?f!l*5cktff§ 

"How to Prove Yourself: P 
ractical Solutions to ide 
ntification and signature 

problems" in Advances in 
Cryptology-Crypto' 8 6, Spri 
nger-Verlag, 1 9 8 6, pp. 186~1 
9 9fcaii;SftTV»*F i a t-Shami rSSfflU 

t, ±tB7 f ;p-7S'ffis:^ffl©an<t5{c-r-5rt*tT 
[ooio] 3ocox7-yzf<Dmmtmt>^ft'mt. m 
swel<» catenae -&«a&BE 
*tt*wftrr44«a:av». 

[ooii] *&, £©$&?»§«, #&©7>-7&i^ 

©7*;U-7fc»£l**C2:K:.fc-3T. 7;U-7££f£ 

u fisu *xv*-r*©fc#Baaffl*«ktfs*© 

[0 0 12] £©5gflJ!«, HS*#8HlxfcKT©KWC 
[0 0 13] 

[^HJ©^ifi©^ai] C©*M©B*^yfe-^fi3l^ 
5fc£. H14S«fctfB2*#RHLTBWrr5. CO^Ctc 
«ttl«. (sender) 10 (1), 10 

(2) , io (3) -lo (i) a»s©«nnb*y-fe- 

5>tt, 5+->>^--fe>^l 1 (1) , 1 1 (2) , 1 
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(5) 
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8 



i (3) -l i (n) ct-aTji^wcffiasns. ^ 
t»^.^-b>^[c«koT. sKtisigx-rs. n«c. & 

3*-»f 9t*m »aictt/T-y^-;p 

•n>tfa-^ < 9-?Ax-i /a >««ffATV»«. 

tt-f*. 5+-»y-t>^ll (i) tt, W©5=^-> 
>^ • -t>^ 1 1 (i - 1) (i = lffl«^l;lt -fe> 

yio) cj:-3Ta»snfc#^yt-5>ft»auT, 

*©5*-»^ 1 (n) **, SJK©*M-*S* 

*«. £©<fc 5 \Z LT* yk—Vmifilz >?\z£? T*» 
fcflMMfcSttSfl*. i5J:tfi:©J:5»;:LTS*-»:5f • 
•fe>^l 1 (i) *%^7t-y«IT5»!(i^, Sk 

[0014] mm\z. &m\zm%?z>x>TjT-<> ? 

[0015] 



10 



(G 



(g mod 

(i) \z&z>mm<Dittb\z 



£. • -fe>* 1 1 

[0 0 19] ^BJ^fas#llf^>fc«)(C, 5*y>^-t 

•fh%Z <7>mf?~Cftt>tl < T*>«fc V». 
[0 0 2 0] A* (G, , Mi ) CfcBT, 
•-fe>*l 1 (i) (1 = 1. n-1) tt, 

[0 0 2 1] 
tt5] 



50 



40 



' [ftl] 

P=kq+1 

*»P, Q*fflV»*.JltKH«r*i5«««»*. fig' 
«\ mod p©£j*7G£U g£. 

[0016] 

»2] 

k 

g= (g' ) mod p 

6**-»^--fe>*l 1 (i) H, 
[0 0 17] 
[»3] 



y j = g mo d p 

&fc£>(C, wi tefltyi + i yi+2 —y. S^b, w. — 

[0 0 18]" 
[ft4] 

(w fl ) .m mod p) 

G^j =G 4 • g mod p 



=g mod p 



= Gj mod p 



/H mod p 



-w r ° + 



fr. 



50 



• m mod p 

*tt*U (Gi , Mi ) »C*ff&-r^> (H. + , ) 
■f5. ft (Gi + i , Mim ) tefiS©& i ©J&ax-^lffl 
T?>'*y7Jl<$tt£&£, $*y>^-t>^l 1 (i 
+ 1) CJ:*«ffiOfc»lcaiB3n*. 
[0 0 2 2] 5^y>^.-b>^l 1 (i) A* 
(Gi , g, yi , H i+ i ) tCjttLT, prove-D 
ECRYPT7;^UXAft*fff*. TWUXAp 
rove-DECRYPT©iailt eTRcSaft*. 
^©T^rf'JXAW^fTtt. S+y^-t^ll 
(i) #Hi»i *jEK±j*LfcCtftKWr*. Jfc 
IC, 3*-»^'-fe>*l 1 (i) 14, prove-S 
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(6) 



#H¥8-2 6 3 5 7 5 



10 



HUFFLE7;i/=fDXA£Hffr-5. T^rf'JXAp 
r o ve-SHUFFLEOlBjzEtt, aTKjRSfl*. 

< ? 7JH/fcc t fciPj-r*. 

[0 0 2 3] S*v>X--fe>* 1 1 (n) tt. 

[0 0 24] 

[»6] 

m=M a /G n n mod p 

fcillJWSCifcioT, A* (G» , Mo ) m i0 

[0 0 2 5] ^{C, S*v>^--fe>*l 1 (n) B, 
A* (C , g, y. , M. /m) fc*f UJ^rT'J XA 
p r o ve-DECRYPTSrUfff-S. 

[0 0 2 6] Tjprf'JXAp r ove— DECRYPT 
£<fcr/p r ove-SHUFFLE(roViTSiBJ-r§. 
^ne.7;VrfiJXAB, X;U-A* (prover) *5<t 
tf"*y 7r-f 7 (verifier) - 0|MP#6&*. 
^'J7 7'f7©m?J<>:LT, KTICBMWSJ: 5 K, 7 

[0 0 2 7] TJWUXAprove-DECRYPT 

£*«»■•&. iioroxfyyit #*.&n&GK:*n,T 

tt^fcHfrU H=G* mod pSifefirr-S. 
7« v (G, g, y = g' mod p, H) ifl^-X^tl 

H*. ^©t*5DT*-5. prove 

-DECRYPT 

1. XJU-A«, 50 
[0 0 2 8] 
[*7] 

r € Z H 

y' =g r nod p 
G' =G r mod p 

X;V-A«. (y' , G' ) Srj§&. 

[0 0 2 9] 2a. IS^l/2t?» ^U7r-f7«, 7 40 
;U-A'(C r di:S:S*-rs. ^U7r-f7tt. 
y' ^fcitfG' #r£*JfL&^Ilfcfc^xy 

[0 0 3 0] 2b. «l^l/2-C> *U7r-f7tt; 7 

"f7tt, 
[0 0 3 1] 
[»8] 



50 



y' -g • y mo d p and 
G' =H • G r mod p 

7^rf'JXA©«rr 

7;Vrf U XA p r o v e - S HU F F L E ZWtW? Sfc 
Ate. XDh3;P©$g2©*x-;/7"£, fitTfcfctft-f 

So 

[0 0 3 2] £&g, w£J;tf 

[0 0 3 3] 

[»9] 

(1) 



A = 



i 



*«4A&ft&WrK:, «2©7f"^i r, , r 2 , 

[00 34] 
[&1 0] 

(1). *«> 



B = 



mod p 



XOGT*t), a i <2) «M/H-efcS. X^-7», 
(A, B, g, w) #W&nfcl»IC. BttA*>f,^© 
J:3fcLTtJ«SnfcJ:t*wUTlr»*. 7;Wrf'JXA 
», ^©t*50Tfe-5. p r o ve-SHUFFLE 

1. zf)V-n\t, 

[0 0 3 5] 
«1 1] 

t e , 7>^Ag»A*«yf 

i A(1) (1) .^ (1, m od p 
, A(I) < 2 >.w^«>mod p 

[0 0 3 6] X;l/-Att, CSritS. 

[0 0 3 7] 2a. &mi/2-?. ^'J7r-f7B, X 

-T7«> C#A, A, t, tyil/SH^t^i"^ 

[0 0 3 8] 2b. ^1/2T?, W7 7 47\V7)V 
-A'tC, A ' =Ao rc-'&cfctft' i =t. -r' i $ 
jRTciSS*?-*. ^U7r-f7tt, ^©JcSCU 

•t, B^e.c*i^T#?>c:t^x^i7-r5. 
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11 



12 



[00 3 9] 
mi 2] 



B = 



(1> 



.(2) 



\zMV 

[0 0 4 0] 
[ftl 3] 



10 



c = 



b A' (1) 



0) 



t' 



t' 



y o) 



mod p 
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1. Title of Invention 

Secure Anonymous Message Transfer and Voting Scheme 

2. Claims 

L. A method of secure anonymous message transfer from a plurality of senders 
by use of a plurality of mixing centers comprising the steps of: 

(a) choosing constants which are posted for senders 5i,52,---,S/ 
and mixing centers, C u Cj, • • • ,C n ; 

(b) each sender constructing an encrypted message which is posted; 

(c) a first mixing center C\ processing the posted messages from each 
sender Sk which processed messages are then posted for use by 
the next center; 

(d) each mixing center C 2 through G % ~\ sequentially processing the 
processed messages from the previous center,, which sequentially 
processed messages are then posted for use by the next center; 

(e) the last mixing center C n processing messages from the previous 
center C n ~\ and posting the result; 

(f } each mixing center proving the validity of its processing, which 
proof is posted; and 

(g) channel checker verifying correctness of the execution from posted 
messages when necessary. 
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2. A method of secure anonymous message transfer as set forth in claim 1, where 
steps (c),(d) and (e) further comprises; 

(h) providing each mixing center with a secret key; and 

(i) said processing including using the secret key of a respective 
mixing center. 

3. A method of secure auonymous message transfer as set forth in claim 2, where 
said proving comprises executing algorithm prove-DECRYPT. 



4. A method of secure anonymous message transfer as set forth in claim 3, where 
said executing algorithm prove-DECRYFT is executed for multiple messages 
together. 



5« A method of secure anonymous message transfer as set forth in claim 2, where 
said proving comprises applying the Fiat-Shamir method. 



6. A method of secure anonymous message transfer as set forth in claim 2, fur- 
ther comprising (j) shuffling the messages. 

7. A method of secure anonymous message transfer as set forth in claim 6 , where 
said proving further comprises executing algorithm prove-SHUFFLE. 
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8. A method of secure anonymous message transfer as set forth in claim 1, where 
steps (c), (d), and (e) further comprises shuffling the messages. 



9. A method of secure anonymous message transfer as set forth in claim 8, where 
after the last mixing center C n posts the result, each mixing center executes 
algorithm prove-DECRYPT using the result. 

10. A method of secure anonymous message transfer as set forth in claim 8, fur- 
ther comprising providing each mixing center with a secret key and where 
after the last mixing center C„ posts the result, each mixing center performs 
said processing using its respective secret key and the result. 



1 1 . A method of secure anonymous message transfer as set forth in claim 8, where 
said proving comprises executing algorithm prove- SHUFFLE. 



12. A method of secure anonymous message transfer as set forth iu claim 11, 
where said proving comprises applying the Fiat-Shamir method. 



13. A method of secure anonymous message transfer as set forth in claim 8, where 
said proving comprises applying the Fiat-Shamir method. 



14. A method of secure anonymous message transfer as set forth in claim 1, where 
said proving comprises applying the Fiat-Shamir method. 
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15. A method of secure anonymous message transfer as set forth in claim I, 
where in step (b) each sender 5'* posts its encrypted message substantially 
simultaneously. 



16. A method of secure anonymous message transfer as set forth in claim 1, where 
in step (b) each sender Sk constructs its encrypted message using a key of 
said first mixing center C\ and said encrypted message includes a signature 
of a respective sender Sk* 

17. A method of secure anonymous message transfer as set forth in claim 1, where 
in step (b) each sender S* constructs an encrypted message which is publicly 
revealed after said first mixing center Ci receives a respective encrypted mes- 
sage. 



18. A method of secure anonymous message transfer as set forth in claim 1, said 
first mixing center C\ processing only legitimate messages and processing 
only one message from each sender. 



19. A method of secure anonymous message transfer as set forth in claim 18, 
where said senders are voters and said messages are votes. 



20. A method of secure anonymous message transfer as set forth in claim 19, 
where said processing of said last mixing center C n comprises computing a 
tally. 
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21. An apparatus for secure anonymous message transfer comprising; 
a bulletin board having constants; 

a plurality of senders, S u S 2 , . . St, each sender S k constructing 
an encrypted message usiug the constants and posting said en- 
crypted message to said bulletin board; 

a plurality of mixing centers, Cj, C 2 , • • », C n , a first mixing cen- 
ter Ci processing the posted messages from each sender using 
the constants and posting a processed message to said bulletin 
board for use by the next mixing center, each mixing center C 2 
through C n _i sequentially processing the processed message from 
the previous mixing center using the constants and posting a fur- 
ther processed message to said bulletin board for use by the next 
mixing center, the last mixing center C n processing messages 
from the previous center C n _t using the constants and posting 
the result on said bulletin board; 

means associated with each respective mixing center for proving the 
validity of the processing of the respective mixing center, which 
proof is posted on said bulletin board; and 

channel checking means for verifying the correctness of execution 
from posted messages. 



22. An apparatus for anonymous message transfer as set forth in claim 21, further 
comprising secret key means associated with each respective mixing center 
for providing a secret key to said respective mixing center for processing mes- 
sages. 
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23. An apparatus for anonymous message transfer as set forth in claim 22, where 
said mixing center processes messages by executing algorithm prove-DECRYPT, 

24. An apparatus for anonymous message transfer as set forth in claim 23, where 
each said means associated with each respective mixing center executes al- 
gorithm prove-DECRYPT. 



25. An apparatus for anonymous message transfer as set forth in claim 24, where 
each means associated with each respective mixing center executes algorithm 
prove-DECRYPT for multiple messages. 



26. An apparatus for anonymous message transfer as set forth in claim 21, where 
said mixing center processes messages by shuffling messages. 



27. An apparatus for anonymous message transfer as set forth in claim 26, where 
said mixing centers process messages by executing algorithm prove-SHUFFLE. 



28. An apparatus for anonymous message transfer as set forth in claim 26, where 
each said means associated with each respective mixing center executes al- 
gorithm prove-SHUFFLE. 
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29. An apparatus for anonymous message transfer as set forth in claim 21, where 
each sender S* posts its encrypted message to said bulletin board substan- 
tially simultaneously. 



30. An apparatus for anonymous message transfer as set forth in claim 22, where 
each sender Sk constructs its encrypted message using said secret key of said 
first mixing center Ci and including a signature of the respective sender Sk- 

31. An apparatus for anonymous message transfer as set forth in claim 21, where 
each sender constructs an encrypted message which is publicly revealed after 
said first mixing center Ci receives a respective encrypted message. 



32. An apparatus for anonymous message transfer as set forth in claim 21, said 
first mixing center Ci processing only legitimate messages and processing 
only one message from each sender. 



33. An apparatus for anonymous message-transfer as set forth in claim 32, where 
said senders are voters and said messages are votes. 



34. An apparatus for anonymous message transfer as set forth in claim 33, where 
said result comprises a tally. 



-818- 



(17) 



ftM¥8-2 6 3 5 7 5 



3. Detailed Description of Invention 



Field of Invention 

The present invention relates to secure anonymous message transfer and specifi- 
cally, to number-theoretic methods and apparatus for secure electronic voting. 

Background of the Invention 

Secure electronic voting is one of the most important applications of secure multi- 
party computation. Yet despite extensive work on this subject, no complete so- 
lution has been found in either the theoretical or practical domains. Even the 
general solutions to secure multi-party protocols fail to exhibit all of the desired 
security properties of elections. 

A number of more practical voting protocols have been proposed, with widely 
differing security properties. Schemes based on anonymous channels/mixers have 
become very popular due to their superior efficiency and the arbitrary nature of 
the votes that are allowed. 

Mix-net anonymous channels were first proposed by D. Chaura in an article en- 
titled "Untraceable Electronic Mail, Return Address, and Digital Pseudonyms" 
in Communication of the ACM, ACM, 1981, pp 84 to 88. Subsequently, many 
voting schemes have been proposed based on this basic technique as in an article 
by A. Fujioka et al, entitled "A Practical Secret Voting Scheme for Large Scale 
Elections," in Advances in Cryptology - Auscrypt '92, 1992, pp. 244 to 251, and 
in an article by C. Park et al, entitled "All/Nothing Election Scheme and Anony- 
mous Channel" in Advances in Cryptology, Eurocrypt '93, 1993, pp. 248 to 259. 

These schemes are efficient, but have the following shortcomings. The simplest 
of these schemes does not allow a voter to securely protest the omission of a vote 
without allowing a malicious voter to block the election. After the election, each 
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voter is typically responsible for checking that their vote was correctly tallied. 
There is usually no way for an outside observer to later verify that the election 
was properly performed. Furthermore, some anonymous channels are vulnerable 
to an attack as described in an article by B. Pfitzrnann entitled "Breaking an 
efficient anonymous channeP in Eurocrypt '94 Proceedings, 1994 3 pp. 339 to 348. 

In accordance with the teachings of the present invention, a secure anonymous 
channel and a voting scheme are described in which an outside observer can verify 
that the election was indeed performed correctly. Therefore omission of a vote 
can be detected by anyone, without fear of a malicious voter blocking the elec- 
tion. Furthermore, the present invention also helps thwart an attack proposed by 
B. Pfitzrnann, supra. 

Summary of the Invention 

A secure anonymous channel is described where multiple messages to a same 
destination are tranferred securely though multiple mixing centers. If the mes- 
sages to be 8ent are votes where the destination is a vote-counting center and the 
first mixing center accepts messages of valid voters, then this scheme becomes a 
secure voting scheme. The present invention generally refers to an anonymous 
message transfer scheme where secure electronic voting is a practical application 
of the more general invention. 

In the scheme, encrypted messages from the senders are successively processed by 
the mixing centers until the last center outputs a randomly, untraceably ordered 
set of unencrypted messages. That is, the encryptions used for the anonymous 
channel have been stripped off or decrypted. At a high level, the senders first 
post their encrypted messages, mixing center a processes each message posted by 
mixing center i — 1 (or the senders, when i = 1) and posts the results in permuted 
order. 
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A three-step procedure is followed by each mixing center i. The first step is 
posting decrypted results of each input message. The second step is mixing the 
results and posting them in permuted order. The third step is proving that the 
centers correctly executed the first and second steps. The Fiat-Shamir technique 
as discussed in an article entitled "How to Prove Yourself: Practical Solutions to 
identification and signature problems" in Advances in Cryptology - Crypto ; 86, 
Springer- Verlag, 1986, pp. 186 to 199, can be used to make the above proofs non- 
interactive. 

At the conclusion of the three step process or at a later time, any interested 
party can cbeck the resulting proofs to confirm that the messages have all been 
handled correctly. With this method for achieving universal verifiability there is 
no need for adding redundancy to the messages. 

Also, the invention results in a method which reduces the amount of commu- 
nication and computation necessary to generate, transmit and check the proofs 
by combining multiple proofs into a single proof. 

The present invention will be best understood when the following description 
is read in conjunction with the accompanying drawing. 

Detailed Description of the Invention 

The anonymous message transfer scheme comprising the present invention will 
now be described with reference to Figures 1 and 2. In accordance with the 
scheme, encrypted messages from senders 10(1), 10(2), 10(3). . .10(1) are succes- 
sively processed by the mixing centers 11(1), 11(2), 11(3). . .ll(n) until the last 
center provides as its output a randomly, untraceabfly ordered set of unencrypted 
messages. Voters cast their ballot by means of a sender which comprises a com- 
puting means, preferably a personal computer but it may also be a workstation 
or the like. Similarly, each mixing center comprises a computing meaus, prefer- 
ably a personal computer, a workstation or the like. The senders first post their 
encrypted messages preferably on an electronic bulletin board or other publicly 
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available messaging means. Mixing center ll(i) processes each message posted by 
the previous mixing center 11(» - 1) (or the senders 10, when » = I) and posts 
the results in permuted order until the last mixing center ll(n) posts the result 
or tally of the voting. Having set forth an overview of the scheme, the detail of 
how a message m is initially encrypted by a sender and how a mixing center 1.1 (i) 
processes each message will now be described in detail. 

Initially, entities participating in the voting, i.e. the senders and the mixing 
centers, need to agree on using prime numbers p and q where the following rela- 
tionships exist for some integer Jb: 

P-kq+1. 

The value g 1 is a generator mod p and g is equal to 

g= («' ) k mo d p. 

Assume there are n mixing centers. Each mixing center 11(a) generates a integer 
Xi 6 Z* wid publishes x 

y { =g 1 mod p 

as its public key and keeps at, as its secret key. For the purpose of simplification, 
Wi will represent the product yw+i • • • yn and w n = 1. 

The message from a sender 10 is m. The sender generates a random number r 0 , 
and posts 

(G l' M l )a(g mod P- Cw 0 )°.m mod p) 

for use by mixing center 11(1). 

For ease of explanation, the three steps of decrypt, shuffle and prove of the cen- 
ters will be described in this order. However, implementation does not necessarily 
require the steps to be performed in this order, 
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In response to input (G«,Afc), mixing center 11 i{i = l,---,n - 1) generates a 
random number r< (independently for each message-pair) and calculates the fol- 
lowing values using the secret key Xfl 



»g mod p 
"* g mo d p 



x i 

Hj + j ■= Gj mod p 



W " M i * w i /H i+| mod p 



= Wj • m mod p 



aud porfts [Hi+i) corresponding to (G t -,A/i). The value ((?,«+,, M< +1 ) is posted, 
permuted with the other processed messages for use by mixing center 11 (s + 1). 

The mixing center 1 1 (i ) executes a pro ve-DECRYPT algorithm for inputs g, y i% ). 
The description of the algorithm prove-DECRYPT is given in below. Execution of 
this algorithm proves that mixing center 11 (2) generated /f t+1 correctly. Mixing 
center ll(t) then executes a prove-SHUFFLE algorithm, a description of which is 
given below. Execution of this algorithm proves that the mixing center shuffled 
honestly. 

Mixing center ll(n) recovers m from input Mi) by computing: 

x 

m=M /G n mod p 
no • 

The mixing center ll(n) then executes the prove-DECRYPT algorithm for inputs 

{G n} g,y {l M n /m). 
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The algorithms prove-DECRYPT and prove-SHUFFLE will now be described. The 
algorithms involve a prover and a verifier. The verifier may be a random beacon 
or an output of a suitable hash function, as is described below. 

In order to describe the algorithm prove-DECRYPT, the first phase of the pro- 
tocol is abstracted as follows. Given G, the first step comprises performing 
decryption in order to generate H = G x mod p. The proof comprises, given 
(G, g> y = g x mod p, //), showing that H is generated in this manner from G. The 
algorithm is as follows: 

prove-DECRYPT 
1. The prover uniformly chooses r € Z p _i. 

Let y' -g F mod P 
G' =G r mo d p. 

The prover sends (y',G'). 

2a. With probability 5, the verifier asks the prover to reveal r. The verifier checks 
that y r and G" are consistent with r. 

2b. With probability \> the verifier asks the prover to reveal r' = r - a. The 
verifier checks that 

r ' 

y /=s g • y mod p and 
G' =H • G r ' mod p, 

end of algorithm 

In order to describe the algorithm prove-SHUFFLE, the second step is abstracted 
as follows. 
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Given constants g, w and 




the second step comprises generating r l7 r 2 , . . . and a permutation 7r and generating 
a set of pairs 




Here a"' refers to G's and a) 2 ' refers to M/Ws in the first step. The proof com- 
prises, given (A, B,g y w), showing that B could be generated in this manner from 
A. The algorithm is as follows: 

prove-SHUFFLE 

1. The prover uniformly chooses t € Z P -i, random permutation A and 



The prover sends C. 

2a. With probability |, the verifier asks the prover to reveal A and t,\ The verifier 
checks that C is consistent with A, A, U in that way. 
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With probability the verifier asks the prover to reveal A' = Ao 7r~ l and 
t[ = t { - The verifier checks that C can be generated from B in the 
following way: 



End of algorithm 

Each execution of the algorithms prove-DECRYPTor prove-SHUFFLE finds a cheat- 



pendent executions are necessary. 

While these algorithms are given in terms of a verifier, a more efficient solution is 
to use the Fiat-Shamir method of eliminating interaction. First, the protocol is 
run many times (on the order of 40 or 60) in order to make the probability of with- 
standing all of the challenges exceedingly small. Then the verifier is replaced by a 
suitably a random looking" hash function which generates the challenges from the 
proverb posting in Step 1 of the algorithms prove-DECRYPT or prove-SHUFFLE. 
This heuristic of Fiat-Shamir method is described in an article entitled "How to 
Prove Yourself: Practical solutions to identification and signature problems" in 
Advances in Cryptology- Crypto '86, Springer- Verlag, 1986, pp. 186 to 199. This 
way the prover can send all the messages to the verifier in a single message. This 
message is posted for public access. 





t' 



ing prover with probability 



\. In order to raise this probability closer to 1, inde- 
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The bulk of the computation and communication required to execute algorithm 
prove-DECRYPT for each of the messages from previous centers can reduced. By 
combining many of the proofs into a single proof, the centers can efficiently prove 
they decrpyted all of the inputs correctly. 

It is necessary to show that the following equation holds for each pair (GB.ffB), 

H (j) - {G (3) )*mod p 

The above equations are reduced to the following single equation using randomly 
chosen coefficients^: 

n (H (j) )° j = n <(G (j) ) Cj ) x mod p 
i 

A center can execute the above protocol where 
G = thiG^y; and H = UAH®)*. 



Advantage is made of the fact that if one or more of the original equations is 
wrong, then if the coefficients are chosen randomly, the final equation will also 
be wrong with high probability. These random coefficients must not be chosen 
by the prover, but should be provided by a verifier, beacon or as the output of a 
suitable hash function. 
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Similarly, as a variation of the above scheme, the following two round anonymous 
channel can be constructed. In the two round anonymous channel, each mixing 
center ll(i), on inputs (G i% Mi) first shuffles the inputs to (G, • g ri mod p,M { • 
u# mod p) and passes the shuffled values in a random order to the next center. 
Each center executes the prove-SHUFFLE algorithm (with some constants fixed 
to this scheme) to prove the correctness of the information. When the shuffled 
messages are finally provided to the mixing center ll(n), mixing center ll(n) pub- 
lishes G n+1 and M n + t for each message. Then each mixing center ll(t) publishes 
H i = GS+i- The mixing center ll(i) executes the prove-DECRYPT aJgorithm with 
input (Gn+i,0, Hi) to prove the correctness. The message m can be recovered by 

In order to avoid vote-duplication attack, each sender may sign and encrypt the 
message to be posted. That is, the sender may sign the output of a message 
to be posted. By signing the output of a message constructor (described below) 
and then encrypting the message using the public key of the first center 11(1), a 
malicious sender cannot copy another sender's message, since the copied message 
would not have the correct signature. Moreover, the message is encrypted in a 
manner such that the message cannot be decrypted, nor can a different signature 
be affixed to the encrypted message. 

Alternatively, the first center may conceal all of the message from the senders 
until each sender has posted a note or message. 

In order to prevent the first center 11(1) and a malicious sender from conspiring, it 
is possible to use a conventional secure commitment scheme such as that discussed 
in an article by M. Naor, entitled "Bit commitment using pseudo- randomness," 
in Advances in Cryptology - CRYPTO l 89, 1989, pp. 128 to 136. 

Having described a preferred method of practicing the present invention, pre- 
ferred embodiments useful for practicing the invention will now be described. 
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Figure 1 schematically illustrates a preferred embodiment for practicing the in- 
vention. The senders 10(1), 10(2), 10(3),. . . 10(*) and mixing centers 11(1), 11(2), 
11(3). . .ll(n) use personal computers or workstations connected to a conventional 
electronic bulletin board 12. All parties (senders, verifiers, centers and the like) to 
the message transfer process interact by posting messages to and receiving mes- 
sages from the bulletin board. Senders can also serve as centers. The personal 
computers either contain software to perform the method described above or alter- 
natively contain in hardware or software embodiments of the elements described 
in Figure 2. 

Figure 2 illustrates how messages are anonymously transferred. Each message con- 
structor 14(1), 14(2), 14(3)... 14(/) of message sender 10(1), 10(2), 10(3). . A0{£) 
generates an encrypted message 16(1), 16(2), 16(3),. . -16(£), using constants 15 as 
described above. The encrypted messages 16 are posted to the electronic bulletin 
board 12. Then each mixing center ll(t) reads as its input, message 17(i — 1) 
from the bulletin board 12. (mixing center 11(1) reads the encrypted message 
16.) The mixing center then follows the sequence process decrypt 19, shuffle 20, 
prove-DECRYPT 21, prove-SHUFFLE 22 using its secret key 23(i) as described 
above. The processed messages and proofs 17(i) are posted to the electronic bul- 
letin board. (Mixing center ll(n) posts decryted messages 18.) In the case of 
electronic voting, mixing center ll(n) will post a tally of the votes 

Figure 3 schematically illustrates a channel checker 24. The channel checker 24 
receives constants 15, encrypted messages 16, a set of processed messages and 
proofs 17(1), 17(2)... and decrypted messages 18 and determines whether the 
message transfer was processed as specified above, thus indicating a valid or. in- 
valid channel. That is, the channel checker includes a verifier for the proofs given 
by the mixing centers. 

Figure 4 illustrates a message constructor 14. The message constructor 14 gen- 
erates encrypted message 16 for the message 25 using constants 15 as described 
above. 
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While there has been described and illustrated a preferred method and apparatus 
of secure anonymous message transfer and electronic voting, it will be apparent 
to those skilled in the art that variations and "modifications are possible without 
deviating from the broad teachings and spirit of the present invention which shall 
be limited solely by the scope of the claims appended hereto. 



4. Brief Description of Drawings 

Figure 1 is a schematic illustration of a preferred embodiment for practicing the 
present invention; 

Figure 2 is a schematic illustration of message flow; 

Figure 3 is a schematic illustration of a channel checker; and 

Figure 4 is a schematic illustration of a message constructor. 
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1, Abstract 



A number-theoretic based algorithm provides for secure anonymous message trans- 
fer and electronic voting. A voter or sender may cast an encrypted vote or message 
that is processed through n centers in a manner which prevents fraud and authen- 
ticates the votes. Any interested party can verify that each vote has been properly 
counted. The invention can be realized by current-generation personal computers 
with access to an electronic bulletin board. 

2. Representative Drawing 

FIG. 1 
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